Netgate Discussion Forum

CNAME vs DHCP static mappings

DHCP and DNS
5 Posts 2 Posters 337 Views
  • madbrain
    Feb 10, 2025, 11:47 PM (last edited by madbrain Feb 10, 2025, 11:55 PM)

    I have DHCP IP reservations for all my network devices. Each reservation includes a hostname, which gets registered in the pfSense DNS. So far, so good.

    I run a number of servers such as Plex, Unifi, etc. I am trying to setup a proper private home PKI with a local CA. Certificates require the DNS hostname or IP in Subject/SubjectAltName in order to work properly in browsers without warning (after installing the CA cert).

    The issue is that I may sometimes relocate the server applications to different hosts on my LAN. So, I'd like to create certs containing application names ca.localdomain, unifi.localdomain, and so on. But the underlying hosts have a different name listed in the DHCP reservation hostname field.

    I see only two solutions.

    I can add "Host overrides" entries in the DNS resolver, but that requires entering an IP address, whereas all I want to do is create aliases based on hostnames. There is a 100% likelihood that the IP addresses in my DHCP reservation table will change over time, as I have a very large network with hundreds of devices, and often process it with scripts to clean up. So, I don't want the IP address to be in two places, as it would be error prone to manage the IP addresses for "Host overrides" when the IP in the DHCP reservation table changes.

    The other possibility would be to reissue a new certificate with a different hostname every time I move an application to a different host. However, I believe that approach would not work if I move the CA application itself, as the new CA cert would need to be manually trusted by all clients again.

    What I would really like to see is for the hostname field in the DHCP reservation to allow more than one hostname to be entered for each host, and have the additional ones automatically registered in the DNS as CNAMEs.

    • Gertjan @madbrain
      Feb 11, 2025, 8:24 AM

      @madbrain

      Another solution (?): a wildcard certificate?
      Add both the DNS names *.domain.tld and domain.tld, and now you can export that cert and install it on every device in your 'domain' (LAN):
      pfsense.domain.tld
      printer.domain.tld
      nas.domain.tld
      etc

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • madbrain @Gertjan
        Feb 11, 2025, 8:21 PM

        @Gertjan,

        Thanks for your reply. The wildcard cert would obviate the need for issuing new certs for every server. But it is not best practice to replicate the same private keys across devices. I would like to create a proper CA that issues certs for end-entities (mostly servers, maybe a few clients).

        Also, the wildcard cert still does not resolve the DNS issue. I still need DNS aliases so that unifi.localdomain can point to server1.localdomain, and later be moved to point to server2.localdomain, without having to specify the IP address manually in the "Host overrides". The second approach I described in my OP also has this problem - the DNS still needs to be manually updated regardless.

        I'm not seeing any solution that doesn't involve duplicating the IP address between 2 screens to create DNS aliases.

        • Gertjan @madbrain
          Feb 12, 2025, 11:07 AM

          @madbrain said in CNAME vs DHCP static mappings:

          But it is not best practice to replicate the same private keys across devices

          Very true.
          I've chosen to do so because I don't handle/keep/store private info like credit card details, nuclear warhead designs or other info that isn't "mine".
          So, basically, I trade some "security" in for pure personal comfort. I'm using the certificate obtained by the acme package on pfSense also for my two NASes, my 3 printers, and the airco controller for the building. Upon renewal, the sync between these devices is automated, so no more need to sync up everything every 60 days, my usual cert renewal delay.
          The two NAS do contain my backups, but the certificate isn't used for that access, just my two-factor https web GUI access. And no hackers are allowed on my wired-only (no wifi) LAN ^^


          • madbrain @Gertjan
            Feb 12, 2025, 8:07 PM (last edited by madbrain Feb 12, 2025, 8:08 PM)

            @Gertjan Thanks. No high security requirements here either. But I have worked on PKI for much of my career, and I feel there should be a way to implement this cleanly with pfSense.

            I have played with the third party pfSense API package. Wrote some code to export all the DHCP reservations to Smokeping. It's been read-only, so far. I have not figured out how to do something read-write. Being able to edit all the reservations in a spreadsheet, rather than through the GUI would be useful. Same for editing the host overrides for CNAMEs. A good script may be able to synchronize things, if additional metadata is included in the spreadsheet.

            I have got a shit ton of IoT IP devices - over 300 of them. Most Wifi, some wired too. Went to a /22 for my LAN a couple weeks ago. It's on my to-do list to explore VLANs and block as many devices from Internet access as possible. About 250 of them can function with local API without Internet using Home Assistant. I don't believe any of them needs CNAMEs. They don't even need a hostname, but I still assigned hostnames to every single one in the DHCP server table. Can't remember all the names any more than I can the IP addresses, though. I'd love to be able to synchronize data between the pfSense DHCP table and Unifi controller device table. But Unifi has no official API. Only 3rd party, which I have not explored. Synchronizing with Home Assistant as well would be the holy grail. But I don't think their REST API is up to the job either.
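The synchronization script the last post imagines, as an added example that is not part of this thread and not code from pfSense or the third-party pfSense API package. It keeps the IP address in one place (the DHCP reservation table) and derives host-override entries from alias names; the reservation export is a constructed `hostname -> IP` dict, and pushing the result back to pfSense is left to whatever API the reader uses.

```python
"""Derive host-override entries (alias -> IP) from a DHCP static-mapping table,
so application aliases such as unifi.localdomain follow the host they point to.
Constructed example for this thread; not pfSense or pfSense-API-package code."""
from typing import Dict, List, Tuple

# Constructed sample of a DHCP static-mapping export: reservation hostname -> IP.
DHCP_RESERVATIONS = {
    "server1": "10.0.0.11",
    "server2": "10.0.0.12",
    "printer": "10.0.0.40",
}

# Desired application aliases. A value is a reservation hostname or another alias.
ALIASES = {
    "unifi": "server1",
    "plex": "server2",
    "ca": "unifi",        # chained alias: ca -> unifi -> server1
    "nas": "server9",     # dangling: no such reservation
    "loop1": "loop2",     # alias loop, must be reported rather than hang
    "loop2": "loop1",
}

DOMAIN = "localdomain"  # assumed local domain name


def resolve_alias(name: str, aliases: Dict[str, str], hosts: Dict[str, str]) -> str:
    """Follow an alias chain to a reserved host; raise on dangling or looping chains."""
    seen: List[str] = []
    while name not in hosts:
        if name in seen or name not in aliases:
            raise LookupError(f"{name}: unresolvable alias chain {seen + [name]}")
        seen.append(name)
        name = aliases[name]
    return hosts[name]


def build_overrides(aliases: Dict[str, str], hosts: Dict[str, str],
                    domain: str = DOMAIN) -> Tuple[List[dict], List[str]]:
    """Return (override entries to push to the resolver, aliases that did not resolve)."""
    overrides, broken = [], []
    for alias in sorted(aliases):
        try:
            ip = resolve_alias(alias, aliases, hosts)
        except LookupError:
            broken.append(alias)
            continue
        overrides.append({"host": alias, "domain": domain, "ip": ip})
    return overrides, broken


if __name__ == "__main__":
    entries, unresolved = build_overrides(ALIASES, DHCP_RESERVATIONS)
    for e in entries:
        print(f"{e['host']}.{e['domain']} -> {e['ip']}")
    print("unresolved:", unresolved)
```

Re-running it after the reservation table changes regenerates every alias from the new IPs, and the unresolved list flags aliases whose target host was renamed or removed.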

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.